Other non events queries work fine

Question

zwass · Answer

Which events tables are you accessing

zwass · Answer

Is this the live query interface or scheduled queries

sundsta · Answer

I tried `SELECT FROM file events LIMIT 10` and `SELECT FROM process events LIMIT 10`

sundsta · Answer

Distributed queries in the UI

zwass · Answer

`file events` requires that you configure the watch paths Did you do that

sundsta · Answer

I have not I ll look into that Still I believe process events should work without any additional config

zwass · Answer

I believe the `process events` needs additional configuration outside of osquery as well See <https osquery readthedocs io en stable deployment process auditing macos process auditing>

zwass · Answer

Some that do not need additional config are `disk events` try opening a dmg or `hardware events` plug any usb device

sundsta · Answer

I had not seen that page thank you

sundsta · Answer

Still no luck on `process events` even after modifying the audit config and a reboot

sundsta · Answer

Now testing with `osqueryi` if that matters at all

zwass · Answer

For any of those event types What does your config look like